Recon 2022

Researching the Unisoc baseband, like in the army
06-03, 15:30–16:00 (US/Eastern), Grand Salon

For the first time, we looked at the Unisoc baseband as a target for security research. We reverse-engineered and fuzzed the implementation of the NAS protocol to find a way to disrupt the device's radio communication with a malformed packet.


Do you still remember push-button phones? Many of them were based on chips from Spreadtrum, a Chinese chip manufacturer founded in 2001.
In 2018, there was a rebranding, and Spreadtrum became known as Unisoc. Nowadays, the manufacturer produces budget chipsets that power 2/3/4/5G devices from smartphones to smart TVs. Unisoc is extremely popular in Africa and Asia due to the low price of the devices. By the end of 2021, Unisoc is firmly ranked as the fourth largest smartphone chip manufacturer in the world (after MediaTek, Qualcomm and Apple) with 10% of the global market.

Despite the fact that Unisoc has been on the market for a long time, the firmware of Unisoc chips is very little studied, including the baseband. There is no reference of any Unisoc baseband vulnerabilities on the Internet.
In this study, we researched the Unisoc baseband to find a way to remotely disable modem services on Unisoc-based smartphones. We reverse-engineered the implementation of the LTE protocol stack and discovered vulnerabilities blocking communications.

See also:

Slava Makkaveev is a Security Researcher at Check Point Research. Holds a PhD in Computer Science. Slava has found himself in the security field more than ten years ago and since that gained vast experience in reverse engineering and vulnerability research. Recently Slava has taken a particularly strong interest in mobile platforms and firmware security. Slava was a speaker at REcon, DEF CON, CanSecWest, HITB and others.